Re: 389 <=> AD group sync

Matti Alho <listat@xxxxxxx> · Fri, 07 Dec 2012 12:11:15 +0200

On 12/03/2012 10:20 PM, Rich Megginson wrote:
On 12/03/2012 12:00 AM, Matti Alho wrote:
I don't know.  Looks ok to me.  I guess the next step would be to
reproduce the problem with the
http://port389.org/wiki/FAQ#Troubleshooting Replication log level
enabled, and then look in the errors log to see why the group add
operation is not being sent to AD.

Here are some relevant log entries with replication logging. Any ideas
or should I try to change log level to get more information?

Not sure.  This looks as though it is attempting to replay a modify
operation made on the 389 entry cn=testgroup,ou=People,dc=domain,dc=com,
but the corresponding AD entry cn=testgroup,cn=Users,dc=domain,dc=com
does not exist.  Did the full manual update create the entry
cn=testgroup,cn=Users,dc=domain,dc=com in AD?  If not, why not?  In your
first message you said
/Any changes to//  groups on 389 side do not get synced to AD unless I do a full manual//  update triggered via console/

Can you verify that, after doing a full manual update, you have
cn=testgroup,ou=People,dc=domain,dc=com in 389 and
cn=testgroup,cn=Users,dc=domain,dc=com in AD?

Yes after a full manual update entry appears in AD.

Here are log entries after I add another entry and before I do a full 
update.

I noticed this:
dn="cn=stilltesting,cn=Users,dc=domain,dc=com" (not present,add not allowed)

What could cause that? Some AD permissions? It's a bit weird since full 
update works.

[07/Dec/2012:12:02:46 +0200] NSMMReplicationPlugin - changelog program - 
agmt="cn=winsync" (adtest:636): CSN 50c1ba8c000000010000 found, position 
set for replay

[07/Dec/2012:12:02:46 +0200] agmt="cn=winsync" (adtest:636) - load=1 
rec=1 csn=50c1bec7000000010000

[07/Dec/2012:12:02:46 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): windows_replay_update: Looking at add operation local 
dn="cn=stilltesting,ou=People,dc=domain,dc=com" (ours,not user,group)

[07/Dec/2012:12:02:46 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): map_entry_dn_outbound: looking for AD entry for DS 
dn="cn=stilltesting,ou=People,dc=domain,dc=com" guid="(null)"

[07/Dec/2012:12:02:46 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): map_entry_dn_outbound: looking for AD entry for DS 
dn="cn=stilltesting,ou=People,dc=domain,dc=com" username="stilltesting"

[07/Dec/2012:12:02:46 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): map_entry_dn_outbound: entry not found - rc 0

[07/Dec/2012:12:02:46 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): windows_replay_update: Processing add operation local 
dn="cn=stilltesting,ou=People,dc=domain,dc=com" remote 
dn="cn=stilltesting,cn=Users,dc=domain,dc=com"

[07/Dec/2012:12:02:46 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): process_replay_add: 
dn="cn=stilltesting,cn=Users,dc=domain,dc=com" (not present,add not allowed)

[07/Dec/2012:12:02:46 +0200] agmt="cn=winsync" (adtest:636) - 
clcache_load_buffer: rc=-30988

[07/Dec/2012:12:02:46 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): No more updates to send (cl5GetNextOperationToReplay)

[07/Dec/2012:12:02:46 +0200] agmt="cn=winsync" (adtest:636) - session 
end: state=5 load=1 sent=1 skipped=0

[07/Dec/2012:12:02:46 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): Beginning linger on the connection

[07/Dec/2012:12:02:46 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): State: sending_updates -> wait_for_changes

[07/Dec/2012:12:03:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): State: wait_for_changes -> wait_for_changes

[07/Dec/2012:12:03:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): State: wait_for_changes -> ready_to_acquire_replica

[07/Dec/2012:12:03:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): Cancelling linger on the connection

[07/Dec/2012:12:03:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): State: ready_to_acquire_replica -> sending_updates

[07/Dec/2012:12:03:11 +0200] - _cl5PositionCursorForReplay 
(agmt="cn=winsync" (adtest:636)): Consumer RUV:

[07/Dec/2012:12:03:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replicageneration} 505ae68e000000010000

[07/Dec/2012:12:03:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replica 1 ldap://ldapnew.domain.com:389} 
505aedad000000010000 50c1bec7000000010000 50c1bec6

[07/Dec/2012:12:03:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replica 2 ldap://ldapnew2.domain.com:389}

[07/Dec/2012:12:03:11 +0200] - _cl5PositionCursorForReplay 
(agmt="cn=winsync" (adtest:636)): Supplier RUV:

[07/Dec/2012:12:03:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replicageneration} 505ae68e000000010000

[07/Dec/2012:12:03:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replica 1 ldap://ldapnew.domain.com:389}
505aedad000000010000 50c1bec7000000010000 50c1bec6

[07/Dec/2012:12:03:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): {replica 2 ldap://ldapnew2.domain.com:389}

[07/Dec/2012:12:03:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): No changes to send

[07/Dec/2012:12:03:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): Beginning linger on the connection

[07/Dec/2012:12:03:11 +0200] NSMMReplicationPlugin - agmt="cn=winsync" 
(adtest:636): State: sending_updates -> wait_for_changes

-Matti
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users